On Tue, 19 Oct 2021, Frank Liu wrote:
> We are using libreswan 3.25 bundled with centos 7.9, having a tunnel with
> Cisco ASA with DPD enabled. Occasionally, the tunnel stops working, and a
> manual restart of libreswan will always be able to fix it.
>
> We are thinking of upgrading to the latest 4.5 from
> https://download.libreswan.org/binaries/rhel/7/x86_64/ and see if it is more
> stable. Is 4.5 a simple drop-in upgrade to 3.25 if we do rpm -U?

It should be, yes.
Note some defaults did change which might require tweaking your config
files. A quick grep on the CHANGES file between 3.26 and 4.5 shows:
* pluto: Change default ikelifetime from 1h to 8h [Paul]
* pluto: change default IKE SA lifetime from 1h to 8h [Paul]
* IKEv2: Remove SHA1 from default proposal list [Paul]
* IKEv2: Prefer RFC 7427 Digital Signatures for default authby=rsasig [Sahana]
* pluto: Add chacha20_poly1305 and curve25519 to default proposals [Paul]
* IKE: Change default connection from IKEv1 to IKEv2 [Paul]
If you did not set ikev2= before, meaning you were using IKEv1, you need
to add ikev2=no.
Paul
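
Added example, not part of the original message and not libreswan code: a small Python check that lists which conn sections of an ipsec.conf leave unset the options behind the changed defaults listed above, so they can be pinned before running rpm -U. Pairing the CHANGES entries with the ikev2, ikelifetime, ike and authby options, and the sample config, are assumptions of this example.

```python
# Changed defaults per the CHANGES entries above; option names are this example's mapping.
CHANGED_DEFAULTS = {
    "ikev2": "default connection changed from IKEv1 to IKEv2 (ikev2=no keeps IKEv1)",
    "ikelifetime": "default changed from 1h to 8h",
    "ike": "default proposals changed (SHA1 removed for IKEv2, chacha20_poly1305/curve25519 added)",
    "authby": "default authby=rsasig prefers RFC 7427 Digital Signatures on IKEv2",
}

# Constructed sample config; addresses are documentation ranges.
SAMPLE = """\
config setup
conn %default
    ikelifetime=1h
conn asa-tunnel
    left=192.0.2.10
    right=198.51.100.20
    authby=secret
conn pinned
    ikev2=no
    ike=aes256-sha2;modp2048
    authby=secret
"""

def parse_conns(text):
    """Return {conn_name: {option: value}}; non-conn sections are skipped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header at column 0
            parts = line.split()
            current = conns.setdefault(parts[1], {}) if parts[0] == "conn" and len(parts) > 1 else None
        elif current is not None and "=" in line:  # indented key=value inside a conn
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def implicit_defaults(text):
    """Return {conn: [options left to a changed default]}; also= is not followed."""
    conns = parse_conns(text)
    base = conns.pop("%default", {})              # conn %default applies to every conn
    report = {n: [k for k in CHANGED_DEFAULTS if k not in {**base, **o}] for n, o in conns.items()}
    return {n: m for n, m in report.items() if m}

if __name__ == "__main__":
    for name, missing in implicit_defaults(SAMPLE).items():
        for opt in missing:
            print(f"conn {name}: {opt} unset -> {CHANGED_DEFAULTS[opt]}")
```

Conns that pull options in through also= are reported conservatively, since the referenced section is not merged.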